[Bug 801501] Re: [MIR] nova

2011-09-16 Thread Dave Walker
Thanks for the detailed report Jamie.

As discussed on IRC, the server team will have an active role in
supporting this regarding bug fixes, and active involvement in
supporting the security team as required.

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/801501

Title:
  [MIR] nova

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/801501/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 801501] Re: [MIR] nova

2011-09-16 Thread Jamie Strandboge
Thanks Dave. This is satisfactory to the security team. Please continue
to work with upstream on the 'sudoers problem' so that can be resolved
for 12.04.



[Bug 801501] Re: [MIR] nova

2011-09-16 Thread Matthias Klose
promoted


** Changed in: nova (Ubuntu)
   Status: New => Fix Released



[Bug 801501] Re: [MIR] nova

2011-09-15 Thread Jamie Strandboge
** Changed in: nova (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)



[Bug 801501] Re: [MIR] nova

2011-09-14 Thread Jamie Strandboge
Kees and I discussed this today, so I will summarize the conversation
(keep in mind I have not reviewed the code personally and Kees only
performed a shallow audit):

 * Size and scope: nova is a very large and complex piece of software
with many daemons listening on the network and there is too much code to
audit in any depth in time for this MIR. It would take significant
resources to thoroughly audit the code

 * Upstream: very active, good community, and concerned about security
with code that is of good quality, relatively easy to read and audit
with authentication and security as part of the design

 * Frontend: APIs seem generally ok

 * Backend: way too much access via sudoers. If there is a security
vulnerability that allows shell access as the nova user, then that user
can become root easily in various ways. The best path to fixing this is
adjusting the 40+ commands to be wrapped, and have this wrapper
rigorously verify its input. Eg, instead of 'chown' in sudoers, use
'nova-wrap chown', then 'nova-wrap' verifies the paths to chown to
ensure that it is modifying only the files it is supposed to. It would
be even better if 'nova-wrap' was also then confined via AppArmor so
there is MAC enforcement for these file accesses. Verifying access to
network interfaces and items not associated with the filesystem also
should be done. As an intermediate step, regexes could be used for file
access in sudoers (but be wary of symlink bypasses) with 'nova-wrap'
only being used for things like 'ip', 'ifconfig', etc, but it is the
opinion of the security team that all privileged commands should be
wrapped with extensive input validation, especially in time for 12.04.

At this point it might be worthwhile to look at what nova is replacing
(Eucalyptus) and how it compares since Eucalyptus used to be in main (it
should be noted that the security team was not part of the MIR process
for Eucalyptus). Nova compares favorably to Eucalyptus in terms of code
quality, design and auditability. Nova currently suffers the
same 'sudoers problem' as Eucalyptus, but I understand work is being
done to fix this.

All that said, the security team is not prepared to sign off on nova's
inclusion in main if we are expected to support it alone. If there are
upstream commitments and commitments from the Ubuntu Server team to aid
in its support, then it seems 'ok enough' to promote at this time. As
nova is a new project, I have concerns about these commitments with our
older releases (eg, supporting the version of nova released with 12.04
in 2016).

Could someone from the MIR team other than Kees make the decision to
promote Nova or not? Kees has a conflict of interest since there is no
clear security sign off from our team at this time.



[Bug 801501] Re: [MIR] nova

2011-09-13 Thread Thierry Carrez
Replacing the plain sudoers by a more precise argument-filtering wrapper is in 
the works, but won't happen in Oneiric.
See https://blueprints.launchpad.net/nova/+spec/nova-rootwrap
and lp:~ttx/nova/privsep2



[Bug 801501] Re: [MIR] nova

2011-09-13 Thread Kees Cook
This is a step in the right direction (regex arg filtering is better
than filename-glob filtering), but I think this probably needs to have
even more logic built in. For example, running ip ... $interface ...
might need logic to have the wrapper look up the interface and decide if
it is actually a nova-controlled interface, etc. Overall, the trajectory
for this design looks fine -- there is a well-defined boundary between
nova and root. Continuing to get it even more highly specified is
the right way to go.

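The argument-filtering wrapper that Jamie and Kees describe above (verifying paths before a chown runs, and checking that an interface is actually nova-controlled before ip touches it), as an added Python example that is not code from the nova project or from nova-rootwrap. The allowed tree, the interface set and the command allow-list are constructed for illustration.

```python
# Added example: a minimal 'nova-wrap'-style argument filter for privileged commands.
import os
import re
import subprocess
import sys

# Constructed policy (assumption, not nova's real config): allowed chown tree and interfaces.
ALLOWED_ROOT = "/var/lib/nova/instances"
NOVA_INTERFACES = {"br100", "vlan100"}
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")
OWNER_RE = re.compile(r"^nova(:nova)?$")

class Rejected(Exception): """Raised when a requested command fails validation."""

def check_chown(args):
    """Allow 'chown <owner> <path>...' only for paths resolving under ALLOWED_ROOT."""
    if len(args) < 2 or not OWNER_RE.match(args[0]):
        raise Rejected("chown: owner must be nova or nova:nova")
    if any(a.startswith("-") for a in args):
        raise Rejected("chown: options such as -R or --reference are not permitted")
    root = os.path.realpath(ALLOWED_ROOT)
    safe = []
    for path in args[1:]:
        # Resolve symlinks and '..' before comparing: a regex on the raw string
        # in sudoers would accept /var/lib/nova/instances/../../../etc/shadow.
        real = os.path.realpath(path)
        if os.path.commonpath([real, root]) != root:
            raise Rejected("chown: %s resolves outside %s" % (path, ALLOWED_ROOT))
        safe.append(real)
    return ["/bin/chown", args[0]] + safe

def check_ip(args):
    """Allow 'ip link set <iface> up|down' only for nova-controlled interfaces."""
    if len(args) != 4 or args[:2] != ["link", "set"] or args[3] not in ("up", "down"):
        raise Rejected("ip: only 'link set <iface> up|down' is permitted")
    if not IFACE_RE.match(args[2]) or args[2] not in NOVA_INTERFACES:
        raise Rejected("ip: %s is not a nova-controlled interface" % args[2])
    return ["/sbin/ip"] + args

FILTERS = {"chown": check_chown, "ip": check_ip}

def build_command(argv):
    """Return the exact argv that may run as root, or raise Rejected."""
    if not argv or argv[0] not in FILTERS:
        raise Rejected("command not in allow-list: %r" % (argv[:1],))
    return FILTERS[argv[0]](argv[1:])

def is_allowed(argv):
    """True if the wrapper would run argv, False if it would refuse it."""
    try:
        build_command(argv)
        return True
    except Rejected:
        return False

if __name__ == "__main__":
    try:
        sys.exit(subprocess.call(build_command(sys.argv[1:])))  # list argv, no shell
    except Rejected as err:
        sys.exit("nova-wrap: refused: %s" % err)
```

Invoked as `nova-wrap chown nova /var/lib/nova/instances/i-1/disk` it executes the validated argv; anything that fails a check exits with a refusal message instead of reaching root.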


[Bug 801501] Re: [MIR] nova

2011-09-12 Thread Kees Cook
Quick notes:
 * should use /run instead of /var/run
 * while it's nice to have the sudoers split, the sudoers fragment is wildly 
permissive (chown as root is trivial to exploit). I would recommend specific 
helper scripts that validate the logic of the requested dangerous commands (see 
the similar stuff in euca).

This is a rather large chunk of python daemons. I think a much more
complete security audit should be done, but that's not something I have
time for at the moment. On the up side, the code looks generally well
designed, though not really made to resist malicious admin use. Given
the scope of its intended use, I think it would be wise to keep this out
of main until it can really be more heavily audited. Trying to map the
dispatch actions to the possible code paths would probably take some
effort, and I'm worried that some of the web objects might have
unexpected exposed functions. Though perhaps I'm just not familiar
enough with the WSGI code.


** Changed in: nova (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)



[Bug 801501] Re: [MIR] nova

2011-09-06 Thread Dave Walker
** Description changed:

- Work in progress / Incomplete.
- 
- Build dependencies...
-  * python-carrot binary and source package is in universe
-  * python-amqplib binary and source package is in universe
-  * python-glance binary and source package is in universe
-  * python-novaclient binary and source package is in universe
- 
- Binary dependencies...
-  * ajaxterm binary and source package is in main.
-  * iscsitarget binary and source package is in universe
-  * nova-common binary and source package is in universe
-  * nova-compute binary and source package is in universe
-  * python-amqplib binary and source package is in universe
-  * python-carrot binary and source package is in universe
-  * python-glance binary and source package is in universe
-  * python-nova binary and source package is in universe
-  * python-novaclient binary and source package is in universe
-  * socat binary and source package is in universe
-  * user-mode-linux does not exist (pure virtual?)
-  * xen-linux-system does not exist (pure virtual?)
+ Rationale: Part of the server-o-openstack specification.
+ Security: No known security history, however it needs to have a security 
review by the security team.  There is a known security bug (Bug: 832507)
+ Quality Assurance: Package works out of the box but it needs to be configured 
for your specific setup. There is no major bugs in Ubuntu and the is no major 
bugs in Debian.
+ Standards Compliance: FHS and Debian Policy compliant.
+ Maintenance: Python package that the Ubuntu Server Team will maintain.
+ Dependencies: The majority of packages have been added to main.. but there is 
still some outstanding.
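Review bot: The new "Dependencies:" line replaces the enumerated list of universe packages with "there is still some outstanding" without naming them; since the removed description listed every build and binary dependency with its component, keep that list (or name the packages still in universe) so the promotion blocker stays checkable. The "Quality Assurance:" line also reads "There is no major bugs in Ubuntu and the is no major bugs in Debian" and should read "There are no major bugs in Ubuntu and there are no major bugs in Debian".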

** Changed in: nova (Ubuntu)
   Status: Incomplete => New



[Bug 801501] Re: [MIR] nova

2011-08-31 Thread Martin Pitt
** Changed in: nova (Ubuntu)
Milestone: ubuntu-11.10-beta-1 => ubuntu-11.10-beta-2



[Bug 801501] Re: [MIR] nova

2011-08-23 Thread Chuck Short
** Description changed:

  Work in progress / Incomplete.
  
  Build dependencies...
-  * python-carrot binary and source package is in universe
-  * python-amqplib binary and source package is in universe
-  * python-glance binary and source package is in universe
-  * python-novaclient binary and source package is in universe
+  * python-carrot binary and source package is in universe
+  * python-amqplib binary and source package is in universe
+  * python-glance binary and source package is in universe
+  * python-novaclient binary and source package is in universe
  
  Binary dependencies...
-  * ajaxterm binary and source package is in universe
-  * iscsitarget binary and source package is in universe
-  * nova-common binary and source package is in universe
-  * nova-compute binary and source package is in universe
-  * python-amqplib binary and source package is in universe
-  * python-carrot binary and source package is in universe
-  * python-glance binary and source package is in universe
-  * python-ipy binary and source package is in universe
-  * python-nova binary and source package is in universe
-  * python-novaclient binary and source package is in universe
-  * socat binary and source package is in universe
-  * user-mode-linux does not exist (pure virtual?)
-  * xen-linux-system does not exist (pure virtual?)
+  * ajaxterm binary and source package is in universe
+  * iscsitarget binary and source package is in universe
+  * nova-common binary and source package is in universe
+  * nova-compute binary and source package is in universe
+  * python-amqplib binary and source package is in universe
+  * python-carrot binary and source package is in universe
+  * python-glance binary and source package is in universe
+  * python-nova binary and source package is in universe
+  * python-novaclient binary and source package is in universe
+  * socat binary and source package is in universe
+  * user-mode-linux does not exist (pure virtual?)
+  * xen-linux-system does not exist (pure virtual?)
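Review bot: The only substantive change in this hunk is that python-ipy is dropped from the binary dependencies (the "-" line for "python-ipy binary and source package is in universe" has no matching "+" line); every other line is removed and re-added unchanged, which reads as a whitespace-only edit and hides the real change. A hunk that touches only the python-ipy line, as the following description change does for ajaxterm, would make the removal reviewable.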

** Description changed:

  Work in progress / Incomplete.
  
  Build dependencies...
   * python-carrot binary and source package is in universe
   * python-amqplib binary and source package is in universe
   * python-glance binary and source package is in universe
   * python-novaclient binary and source package is in universe
  
  Binary dependencies...
-  * ajaxterm binary and source package is in universe
+  * ajaxterm binary and source package is in main.
   * iscsitarget binary and source package is in universe
   * nova-common binary and source package is in universe
   * nova-compute binary and source package is in universe
   * python-amqplib binary and source package is in universe
   * python-carrot binary and source package is in universe
   * python-glance binary and source package is in universe
   * python-nova binary and source package is in universe
   * python-novaclient binary and source package is in universe
   * socat binary and source package is in universe
   * user-mode-linux does not exist (pure virtual?)
   * xen-linux-system does not exist (pure virtual?)



[Bug 801501] Re: [MIR] nova

2011-08-13 Thread Dave Walker
** Description changed:

  Work in progress / Incomplete.
  
- Build depends to resolve before this can progress:
-  * python-gflags binary and source package is in universe
-  * python-mox binary and source package is in universe
+ Build dependencies...
   * python-carrot binary and source package is in universe
   * python-amqplib binary and source package is in universe
-  * python-ipy binary and source package is in universe
-  * python-sqlalchemy-ext binary and source package is in universe
-   ... alternative python-sqlalchemy binary and source package is in universe
-  * python-eventlet binary and source package is in universe
-  * python-routes binary and source package is in universe
-  * python-webob binary and source package is in universe
-  * python-tempita binary and source package is in universe
-  * python-migrate binary and source package is in universe
   * python-glance binary and source package is in universe
   * python-novaclient binary and source package is in universe
-  * pep8 binary and source package is in universe
+ 
+ Binary dependencies...
+  * ajaxterm binary and source package is in universe
+  * iscsitarget binary and source package is in universe
+  * nova-common binary and source package is in universe
+  * nova-compute binary and source package is in universe
+  * python-amqplib binary and source package is in universe
+  * python-carrot binary and source package is in universe
+  * python-glance binary and source package is in universe
+  * python-ipy binary and source package is in universe
+  * python-nova binary and source package is in universe
+  * python-novaclient binary and source package is in universe
+  * socat binary and source package is in universe
+  * user-mode-linux does not exist (pure virtual?)
+  * xen-linux-system does not exist (pure virtual?)
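Review bot: This hunk drops ten build dependencies (python-gflags, python-mox, python-ipy, python-sqlalchemy-ext and its python-sqlalchemy alternative, python-eventlet, python-routes, python-webob, python-tempita, python-migrate, pep8) from the "Build depends to resolve" list without recording that they were promoted to main, while python-ipy reappears under the new "Binary dependencies..." list as still in universe. State which of the removed entries are now in main so the list stays an accurate record of what blocks the MIR.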



[Bug 801501] Re: [MIR] nova

2011-08-11 Thread Thierry Carrez
** Changed in: nova (Ubuntu)
   Importance: Undecided => High



[Bug 801501] Re: [MIR] nova

2011-08-05 Thread Kate Stewart
** Changed in: nova (Ubuntu)
Milestone: oneiric-alpha-3 => ubuntu-11.10-beta-1



[Bug 801501] Re: [MIR] nova

2011-06-24 Thread Dave Walker
** Tags added: server-o-mir
